diff options
Diffstat (limited to 'tests/chains/scenarios/trustanchors.cfg')
| -rw-r--r-- | tests/chains/scenarios/trustanchors.cfg | 114 |
1 files changed, 114 insertions, 0 deletions
diff --git a/tests/chains/scenarios/trustanchors.cfg b/tests/chains/scenarios/trustanchors.cfg new file mode 100644 index 000000000..db18990ac --- /dev/null +++ b/tests/chains/scenarios/trustanchors.cfg @@ -0,0 +1,114 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +scenario TrustAnchors + +entity RootCA + type Root + +entity CA1 + type Intermediate + issuer RootCA + +entity CA2 + type Intermediate + issuer CA1 + +entity EE1 + type EE + issuer CA2 + +entity OtherRoot + type Root + +entity OtherIntermediate + type Intermediate + issuer OtherRoot + +entity EE2 + type EE + issuer OtherIntermediate + +# Scenarios where trust only comes from the DB +db DBOnly + +import RootCA::CT,C,C +import CA1:RootCA: + +# Simple chaining - no trust anchors +verify EE1:CA2 + cert CA2:CA1 + result pass + +# Simple trust anchors - ignore the Cert DB +verify EE1:CA2 + trust CA2:CA1 + result pass + +# Redundant trust - trust anchor and DB +verify EE1:CA2 + cert CA2:CA1 + trust RootCA + result pass + + +# Scenarios where trust only comes from trust anchors +db TrustOnly + +# Simple checking - direct trust anchor +verify EE1:CA2 + cert CA2:CA1 + cert CA1:RootCA: + trust RootCA: + result pass + +# Partial chain (not self-signed), with a trust anchor +verify EE1:CA2 + trust CA2:CA1 + result pass + + +# Scenarios where trust comes from both trust anchors and the DB +db TrustAndDB + +import RootCA::CT,C,C +import CA1:RootCA: + +# Check that trust in the DB works +verify EE1:CA2 + cert CA2:CA1 + result pass + +# Check that trust anchors work +verify EE2:OtherIntermediate + cert OtherIntermediate:OtherRoot + trust OtherRoot: + result pass + +# Check that specifying a trust anchor still allows searching the cert DB +verify EE1:CA2 + trust_and_db + cert CA2:CA1 + trust OtherIntermediate:OtherRoot + trust OtherRoot: + result pass + +# Scenarios where the trust DB has explicitly distrusted one or more certs, +# even when the trust anchors indicate trust +db ExplicitDistrust + +import RootCA::CT,C,C +import CA1:RootCA:p,p,p +import OtherRoot::p,p,p + +# Verify that a distrusted intermediate, but trusted root, is rejected. +verify EE1:CA2 + cert CA2:CA1 + trust CA1:RootCA + result fail + +# Verify that a trusted intermediate, but distrusted root, is accepted. +verify EE2:OtherIntermediate + trust OtherIntermediate:OtherRoot + result pass |